EU Cyber-Security Act comes into force tomorrow.
The European Union has long had institutions for dealing with cyber-security issues, but this is an update with new features. It also tells us a couple of things about the EU itself, such as its continued progress towards becoming a country with central instruments of government, rather than relying on member states to transpose Directives into national law. Equally importantly, the update sets the scene for more restructuring in the future, once the EU works out that it needs to develop efficiencies and reduce duplication.
The European Commission says clearly that "The European Cyber-Security Act" was "agreed by EU negotiators in December 2018."
It is interesting to note that the European Commission's own information service, Europa, does not include an "Act" in the range of EU instruments. The first challenge, when considering the new law is, then, to find out its status.
Under EU law, reference is made to three types of binding "legislative act", and each law passed must fall into one of the three categories: Regulations, Directives and Decisions. There are two further classes, Recommendations and Opinions, which are persuasive but neither binding nor, for want of a better word, precedent-setting. The three types of legislative act are defined as part of the heart and soul of the EU in the Treaty on the Functioning of the European Union (TFEU), which has been around in one form or another since the Treaty of Rome created the ancestor of the EU as it is now. The current version is much younger, having been heavily modified by the Treaty of Lisbon in 2009 (and yes, reader, that's the one that includes Article 50, which has provided the escape pod for the UK but which also heavily (and possibly inadvertently) hampered its engines).
So, if the term "Act" is a generic term for a legislative instrument, logically no single piece of legislation should be termed "Act" in its title, for the simple reason that everyone needs to know what kind of Act it is. In this case, the Official Journal at EUR-Lex shows, in the introduction to the "Act", that it is, in fact, a Regulation (number (EU) 2019/881). Regulations are directly binding in all member states, without the national transposition that Directives require.
While the text was, as the European Commission says, agreed in December last year, the Regulation itself was not adopted until 17 April this year and enters into force tomorrow. By EU standards, that is remarkably rapid work.
The preamble to the Regulation (now we know what it is, we can use its proper name) is extensive and provides a very useful primer on all the areas of concern that, not very long ago, were so far outside the experience or dreams of ordinary people that hardly anyone was even looking in the direction of a parallel, virtual, electronic world. Even in 2009, the extent to which the internet would be used for intrusion (both welcome and unwelcome) into our lives was barely imaginable. Yes, we had seen instances of "hacking," "cracking" and "phreaking" for well over a decade, and we were a decade into the socially life-changing applications then known as "Web 2.0."
The truth is that nothing has changed except the scale and sophistication of users and abusers; the fact that people trust computers and the things they read on them has not changed at all. Readers, especially those who think they are knowledgeable about areas of risk, are urged to spend time going over that preamble. It is sobering in ways that such preambles almost always are not.
What, then, does the Regulation do? Sadly, this is not so impressive. It begins by restructuring ENISA, the EU Agency for Cyber-Security. Why sadly? Because it implies that the previous structure was not properly defined and, as the history of government shows, once restructuring starts it happens on a regular basis, imposing costs on taxpayers and disruption on staff and their work. However, there are valid and important changes: ENISA, which until now has operated under a series of fixed-term mandates, will become a permanent agency with a wider remit and improved resources (they say).
In particular, "ENISA will have a key role in setting up and maintaining the European cybersecurity certification framework by preparing the technical ground for specific certification schemes and informing the public on the certification schemes as well as the issued certificates through a dedicated website." One almost groans when any announcement refers to a website, for the simple reason that websites are now so integral to the functioning of society that when mention is made of one it sounds as if they are pleased with themselves, and that sounds woefully immature. And, it is sad to say, these days any form of certification is more a pain in the arse than a benefit: there are so many, issued by governments and corporations alike, that certification fatigue is a thing.
There is even a question as to whether ENISA is needed at all: one of its functions is to "increase operational cooperation at EU level, helping EU Member States who would request it to handle cyber-security incidents, and supporting the coordination of the EU in case of large-scale cross-border cyber-attacks and crises." That, in other areas, is the job of Europol. Why not merge the two and have standardised processes and common data, where only the content is different and where on-line offences can be integrated within the Europol framework?
It may be that the reason is that the EU is fettered by its own previous decisions: ENISA is the secretariat of the CSIRTs Network, the network of national Computer Security Incident Response Teams set up under the 2016 NIS Directive. That is, in effect, an intelligence clearing house, similar to the national Financial Intelligence Units (FIUs) set up under the Money Laundering Directives. That, it could be argued, should always have been a part of Europol.
And so, in due course, when the EU works that out, there will be another Regulation and another restructuring. The certification business will remain in ENISA, while the investigations and intelligence work will be amalgamated with Europol's existing cybercrime division, the European Cybercrime Centre (EC3). When that happens (as we predict it will), our criticism of half-thought-out restructuring will be shown to have been justified. The big hurdle to that will (cue laughter) be that by then each will have incompatible computer systems and data management, and the costs of integration will be enormous. Those costs will either be an excuse to pay big consultancies money that taxpayers should not be required to pay, or be used as an excuse to reject a merged organisation.
Further Reading:
https://europa.eu/european-uni...
https://eur-lex.europa.eu/eli/...